CVE-2026-3635
Header Spoofing in Fastify trustProxy Causes Security Bypass
Publication date: 2026-03-23
Last updated on: 2026-04-16
Assigner: openjs
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fastify | fastify | < 5.8.3 (all versions before 5.8.3) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-348 | The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3635 is a vulnerability in the Fastify web framework versions up to 5.8.2 that occurs when the trustProxy option is configured with a restrictive trust function, such as specifying a single IP address, a subnet, a hop count, or a custom function.
Under these restrictive configurations, the request.protocol and request.host getters incorrectly read the X-Forwarded-Proto and X-Forwarded-Host headers from all incoming connections, including those from untrusted IP addresses.
This flaw allows an attacker who connects directly to the Fastify server, bypassing the trusted proxy, to spoof the protocol and host values that the application sees.
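The following JavaScript is an added illustration, not Fastify's own code: it models, with hypothetical function names, the difference between a protocol/host getter that honours X-Forwarded-Proto and X-Forwarded-Host for every connection and one that only reads them when the direct peer passes the trust predicate derived from a trustProxy-style option. The request objects, addresses and header values are constructed for the example.

```javascript
// Added example, not Fastify's code: a simplified model of how the
// request.protocol / request.host getters should gate on trustProxy.
// All function names and sample addresses here are hypothetical.

// Turn a trustProxy-style option into a predicate over the direct peer.
// This model supports: true (trust all), a single IP string, or a
// custom function (addr, hopIndex) => boolean.
function makeTrustFn(trustProxy) {
  if (trustProxy === true) return () => true;
  if (typeof trustProxy === 'function') return trustProxy;
  if (typeof trustProxy === 'string') return (addr) => addr === trustProxy;
  return () => false;
}

// First value of a possibly comma-separated forwarded header, or undefined.
function firstForwardedValue(req, name) {
  const raw = req.headers[name];
  return raw ? String(raw).split(',')[0].trim() : undefined;
}

// Model of the flawed behaviour described above: forwarded headers are
// honoured for every connection, whether or not the peer is a trusted proxy.
function protocolUnchecked(req) {
  return firstForwardedValue(req, 'x-forwarded-proto') ||
    (req.socket.encrypted ? 'https' : 'http');
}
function hostUnchecked(req) {
  return firstForwardedValue(req, 'x-forwarded-host') || req.headers.host;
}

// Hardened model: X-Forwarded-* is only read when the direct peer is trusted;
// otherwise the values come from the socket and the Host header.
function protocolChecked(req, trust) {
  if (trust(req.socket.remoteAddress, 0)) {
    const v = firstForwardedValue(req, 'x-forwarded-proto');
    if (v) return v;
  }
  return req.socket.encrypted ? 'https' : 'http';
}
function hostChecked(req, trust) {
  if (trust(req.socket.remoteAddress, 0)) {
    const v = firstForwardedValue(req, 'x-forwarded-host');
    if (v) return v;
  }
  return req.headers.host;
}

// Constructed requests (hypothetical addresses, not from the advisory).
const TRUSTED_PROXY = '10.0.0.2';
const fromProxy = {
  socket: { remoteAddress: '10.0.0.2', encrypted: false },
  headers: { host: 'app.internal', 'x-forwarded-proto': 'https', 'x-forwarded-host': 'app.example.com' },
};
const fromUntrusted = {
  socket: { remoteAddress: '203.0.113.7', encrypted: false },
  headers: { host: 'app.internal', 'x-forwarded-proto': 'https', 'x-forwarded-host': 'spoofed.example' },
};

// Compare what the application would see under both models.
function demo() {
  const trust = makeTrustFn(TRUSTED_PROXY);
  return {
    proxyProtocol: protocolChecked(fromProxy, trust),         // 'https'
    untrustedUnchecked: protocolUnchecked(fromUntrusted),     // 'https' (spoofed)
    untrustedChecked: protocolChecked(fromUntrusted, trust),  // 'http'
    untrustedHostChecked: hostChecked(fromUntrusted, trust),  // 'app.internal'
  };
}
```

The point of the model is the branch inside protocolChecked and hostChecked: a restrictive trustProxy value is only meaningful if the getters consult the resulting predicate before reading the forwarded headers, which is exactly what the affected versions failed to do.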
How can this vulnerability impact me?
Applications that rely on request.protocol or request.host for security decisions are affected by this vulnerability when using restrictive trustProxy configurations.
- It can undermine HTTPS enforcement, allowing an attacker to spoof the protocol.
- It can affect secure cookie flags, potentially exposing cookies that should be secure.
- It can bypass CSRF origin checks by spoofing the host.
- It can cause incorrect URL construction or host-based routing decisions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when the Fastify server is configured with a restrictive trustProxy setting and improperly reads X-Forwarded-Proto and X-Forwarded-Host headers from untrusted connections. To detect it, you can check your Fastify server configuration for the trustProxy option and verify if it uses a restrictive trust function such as a specific IP, subnet, hop count, or custom function.
Additionally, monitoring incoming requests that include X-Forwarded-Proto or X-Forwarded-Host headers from IP addresses that are not part of your trusted proxy list can help identify attempts to exploit this vulnerability.
While no specific commands are provided in the available resources, you can use network monitoring tools or log analysis to filter requests with these headers coming from untrusted IPs.
For example, using command-line tools like tcpdump or tshark to capture HTTP headers, or grep to search server logs for suspicious X-Forwarded-Proto or X-Forwarded-Host headers from unexpected IP addresses, may help detect exploitation attempts.
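As an added example of the log-analysis approach described above (not a command or script from the advisory), the following JavaScript scans structured access-log records for X-Forwarded-Proto or X-Forwarded-Host headers that arrived from peers outside a trusted proxy list, with the list expressed as plain IPv4 addresses or CIDR ranges. The log format, addresses and trusted ranges are constructed for the example; adapt the record fields to whatever your logger actually emits.

```javascript
// Added example, not from the advisory: flag requests that carry
// X-Forwarded-Proto / X-Forwarded-Host but did not come from a trusted proxy.
// Log lines, addresses and trusted ranges below are constructed.

// Parse dotted-quad IPv4 into an unsigned 32-bit integer, or null if invalid.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Build a matcher from entries like "10.0.0.2" or "10.0.0.0/8".
function makeTrustedMatcher(entries) {
  const rules = entries.map((entry) => {
    const [ip, bitsStr] = entry.split('/');
    const bits = bitsStr === undefined ? 32 : Number(bitsStr);
    const base = ipv4ToInt(ip);
    if (base === null || !(bits >= 0 && bits <= 32)) throw new Error('bad trusted entry: ' + entry);
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    return { net: (base & mask) >>> 0, mask };
  });
  return (addr) => {
    const n = ipv4ToInt(addr);
    if (n === null) return false;
    return rules.some((r) => ((n & r.mask) >>> 0) === r.net);
  };
}

// Headers whose presence from an untrusted peer is worth flagging.
const WATCHED_HEADERS = ['x-forwarded-proto', 'x-forwarded-host'];

// logLines: one JSON object per line with remoteAddress and headers fields.
// Returns one finding per record that has a watched header from an untrusted peer.
function findUntrustedForwarded(logLines, trustedEntries) {
  const trusted = makeTrustedMatcher(trustedEntries);
  const findings = [];
  for (const line of logLines) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; } // skip unparseable lines
    const headers = rec.headers || {};
    const names = Object.keys(headers).map((k) => k.toLowerCase());
    const present = WATCHED_HEADERS.filter((h) => names.includes(h));
    if (present.length > 0 && !trusted(rec.remoteAddress)) {
      findings.push({ time: rec.time, remoteAddress: rec.remoteAddress, headers: present });
    }
  }
  return findings;
}

// Constructed sample log: one trusted-proxy request, two direct connections
// carrying forwarded headers, one clean direct connection, one garbage line.
const SAMPLE_LOG = [
  '{"time":"2026-03-24T10:00:01Z","remoteAddress":"10.0.0.5","headers":{"host":"app.internal","x-forwarded-proto":"https","x-forwarded-host":"app.example.com"}}',
  '{"time":"2026-03-24T10:00:02Z","remoteAddress":"203.0.113.7","headers":{"host":"app.internal","X-Forwarded-Proto":"https"}}',
  '{"time":"2026-03-24T10:00:03Z","remoteAddress":"203.0.113.8","headers":{"host":"app.internal","x-forwarded-host":"spoofed.example"}}',
  '{"time":"2026-03-24T10:00:04Z","remoteAddress":"203.0.113.9","headers":{"host":"app.internal"}}',
  'not a json record',
];
const TRUSTED_PROXIES = ['10.0.0.0/8'];

// findUntrustedForwarded(SAMPLE_LOG, TRUSTED_PROXIES) returns two findings,
// for 203.0.113.7 (x-forwarded-proto) and 203.0.113.8 (x-forwarded-host).
```

A hit from this scan is not proof of exploitation, only of a forwarded header arriving on a path it should not use; the useful follow-up is to confirm that the trusted list matches the proxies actually in front of the service and that nothing else can reach the Fastify listener directly.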
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Fastify to version 5.8.3 or later, where this vulnerability has been patched.
If upgrading is not immediately possible, review and adjust your trustProxy configuration. Avoid using restrictive trust functions that specify single IPs, subnets, hop counts, or custom functions that may cause the server to trust forwarded headers from untrusted sources.
Alternatively, setting trustProxy to true (trust all proxies) is not vulnerable to this issue, but this may not be suitable for all environments.
Also, consider implementing additional network-level protections to ensure that only trusted proxies can connect to your Fastify server, such as firewall rules or network segmentation.